[Solved] Adding additional GELI encrypted devices to decrypt at boot time - ZFS on Root without boot partition

freebsdinator

Member

Reaction score: 10
Messages: 51

I just performed a FreeBSD 11.0 install using the guided ZFS install option with encryption enabled.

After installing, I'd now like to add an additional set of disks to decrypt at boot-time, ideally, using the same process as the root drives.

Could anyone point me to the documentation as to how to achieve this?

So far, I haven't had much luck in being able to tie-in to decrypting at boot. I know I could encrypt the extra drives using a key on the encrypted root and have them decrypt once the system boots, but I'd rather not add this extra layer if I can avoid it.

Thanks!
 

freebsdinator

Member

Reaction score: 10
Messages: 51

Hey Getopt, I've been referencing that guide, but I'm not seeing how it explains how to tie into the existing boot loader decryption procedure.
 

ANOKNUSA

Aspiring Daemon

Reaction score: 372
Messages: 675

Per the geli(8) man page, when you initialize a GELI provider you need to add the -b flag in order for the bootloader to try and decrypt it at boot time. You can also run geli configure -b on block devices that have already been initialized with GELI. The passphrase to unlock the drives will either be asked for during the boot process (default), or you can configure the boot menu to prompt you for the passphrase before booting begins. (I don't have my loader.conf for my server handy, and I can't remember what line needs to be added to get the menu prompt. Sorry. :()

Once you provide GELI a passphrase and/or key for a block device during/before boot, the system will try to unlock all block devices with that passphrase and/or key. So if they're all the same, you only need to provide it once for each block device.
 
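A quick way to confirm that the -b flag described above actually took effect on every provider, as an added example that is not part of this thread: the check parses `geli list` output and names attached providers whose Flags line lacks BOOT, so the loader would skip them. The sample output embedded in the script is constructed (abridged to the fields the check reads); the script name is hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: list attached GELI providers that are
# missing the BOOT flag, i.e. ones the loader will not try to unlock at boot.
# Reads `geli list` output on stdin. geli prints "Flags: NONE" when no flag
# is set and "Flags: BOOT" after `geli init -b` or `geli configure -b`.
geli_providers_without_boot() {
    awk '
        # a new record starts: report the previous provider if it lacked BOOT
        /^Geom name:/ { if (name != "" && flags !~ /BOOT/) print name
                        name = $3; flags = "" }
        /^Flags:/     { flags = $0 }
        END           { if (name != "" && flags !~ /BOOT/) print name }
    '
}

# Constructed sample of `geli list` output (abridged): two attached providers,
# only the first was initialised with -b.
SAMPLE_GELI_LIST='Geom name: ada0p1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: BOOT
Providers:
1. Name: ada0p1.eli
Geom name: ada1p1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: NONE
Providers:
1. Name: ada1p1.eli'

# Run the check against the embedded sample (used when no argument is given).
check_sample() {
    printf '%s\n' "$SAMPLE_GELI_LIST" | geli_providers_without_boot
}

# `sh check_geli_boot.sh live` runs against the real system; the default
# runs against the sample so the script can be tried anywhere.
if [ "${1:-sample}" = live ]; then
    geli list | geli_providers_without_boot
else
    check_sample
fi
```

Against the sample this prints ada1p1.eli, the provider that still needs `geli configure -b`. Note that `geli list` only shows attached providers; a detached one has to be inspected with `geli dump` instead.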

freebsdinator

Member

Reaction score: 10
Messages: 51

Hey ANOKNUSA;

That got me where I needed to go. Do you know if the encrypted install option for FreeBSD 11 generates a key file or does it simply rely on a password encryption? I just want to ensure I have the procedure down when I have to swap out drives in the future or need to perform data recovery.

For my future notes, and for anyone who is curious: I added 2 media drives with ZFS following an encrypted ZFS install from FreeBSD 11:

gpart create -s gpt ada0
gpart create -s gpt ada1

gpart add -t freebsd-zfs -a 1M -l encmedia1 /dev/ada0
gpart add -t freebsd-zfs -a 1M -l encmedia2 /dev/ada1

geli init /dev/ada0p1
geli init /dev/ada1p1

geli configure -b /dev/ada0p1
geli configure -b /dev/ada1p1

geli attach /dev/ada0p1
geli attach /dev/ada1p1

zpool create zmedia mirror /dev/ada0p1.eli /dev/ada1p1.eli
 

ANOKNUSA

Aspiring Daemon

Reaction score: 372
Messages: 675

It generates a keyfile, which I believe is stored somewhere in /boot and has a very obvious name. I've always just used a passphrase myself. GELI allows you to use multiple keys/passphrases per provider, so you can always add a new keyfile and/or passphrase to the second disk. Or you can use the same keyfile and passphrase for each disk, and then add an extra-strong emergency passphrase in case the keyfile is damaged. Or anything else you might think to do with it.

As always, once you've got a working GELI set-up, make sure you've got backups before you go playing around with it again. ;)
 

Ivahth0g

New Member


Messages: 1

With ANOKNUSA's hint, I found a solution for a slightly different issue I came up with:

Unfortunately, there is tons of advice out there on how to install FreeBSD on a manually created GELI'd zpool, but hardly any insight into what the 10+ installer/loader does automatically to decrypt the devices at boot.

I had installed 11.0 on an encrypted zpool, mirror of 2 HDDs.
There were random device renames (flaky USB, I know it's bad...), and one device of my mirrored root pool was no longer found reliably through reboots (by the bootloader; once the OS was up, the device was normally visible).

So I had degraded boot and root pools, which is no good; but at least with geli attach -k /boot/encryption.key /dev/da0s1d I now know how to attach the encrypted partition to be zpool onlined again by hand.

Maybe this is useful for someone else stumbling over the limited device naming cleverness at boot time.
 

freebsdinator

Member

Reaction score: 10
Messages: 51

I'm not sure if you're still monitoring, but I just attempted to add more drives and I had drives drop out of the pool.

Be sure to use drive IDs, or at least labels, for the GELI encrypted drives (as well as setting the boot flag) when you initialize the encrypted drives, so you can avoid this headache in the future.
 
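The command sequence freebsdinator posted earlier, redone with the label advice from the last post, as an added example that is not part of this thread: every provider is addressed through /dev/gpt/<label> rather than adaXpY, so a disk changing its unit number no longer drops a mirror leg, and geli's parameters are stated explicitly. The script defaults to a dry run that prints the plan; the pool name, labels and disk names are the post's own, the script itself and the <label>=<disk> argument form are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Same steps as the post above, but every
# provider is addressed by its GPT label (/dev/gpt/<label>) and geli's
# parameters are given explicitly. Default is a dry run that prints the plan;
# DRY_RUN=0 executes the commands (needs root on FreeBSD).
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: prepare_encrypted_mirror <pool> <label>=<disk> <label>=<disk> ...
# Each disk gets a GPT table, one freebsd-zfs partition carrying <label>,
# a GELI provider marked for the loader (-b), and the .eli devices are
# mirrored into <pool>. Labels must be non-empty and use only [A-Za-z0-9_-].
prepare_encrypted_mirror() {
    pool=$1; shift
    eli_devs=""
    for pair in "$@"; do
        case "$pair" in
            *=*) ;;
            *) echo "expected <label>=<disk>, got: $pair" >&2; return 1 ;;
        esac
        label=${pair%%=*}
        disk=${pair#*=}
        case "$label" in
            ''|*[!A-Za-z0-9_-]*)
                echo "invalid GPT label: '$label'" >&2; return 1 ;;
        esac
        run gpart create -s gpt "$disk"
        run gpart add -t freebsd-zfs -a 1M -l "$label" "$disk"
        # -b: the loader prompts for this provider at boot (the root
        # passphrase unlocks it in the same pass); -s 4096 matches ashift=12.
        run geli init -b -e AES-XTS -l 256 -s 4096 "/dev/gpt/$label"
        run geli attach "/dev/gpt/$label"
        eli_devs="$eli_devs /dev/gpt/$label.eli"
    done
    # $eli_devs is deliberately unquoted: it is a space-separated list.
    run zpool create "$pool" mirror $eli_devs
}

# Stand-alone: print the plan for the two-disk layout from the post.
[ $# -gt 0 ] || set -- zmedia encmedia1=/dev/ada0 encmedia2=/dev/ada1
prepare_encrypted_mirror "$@"
```

Run it once without DRY_RUN=0 and compare the printed plan against the disks you mean to wipe before executing; `geli init` and `geli attach` will each prompt for the passphrase, and once the providers carry the BOOT flag the loader asks for it a single time at boot.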